ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS). For Indian organisations selling globally, it is often the first formal certification pursued — recognized in nearly every market, scoped flexibly, and well-understood. This module covers what ISO 27001 actually requires, the implementation timeline, and the operational realities of getting and keeping certified.

What ISO 27001 actually is

An ISMS standard — an system for managing security, not a checklist of controls
Process-oriented: requires risk assessment, treatment plans, continuous improvement
Annex A includes 93 reference controls (down from 114 in the 2013 version) you may select from
Certifiable by accredited bodies (BSI, DNV, TUV, BSI India, etc.)
3-year cycle: initial certification audit, surveillance audits years 2 and 3, recertification at year 4

The required documents

ISO 27001 requires specific documented information:

ISMS scope statement — which parts of the org are in scope
Information security policy
Risk assessment methodology
Risk assessment report
Risk treatment plan
Statement of Applicability (SoA) — for each Annex A control: applicable yes/no, justification, implementation status
Internal audit programme
Management review records
Corrective action records
Various procedure documents — incident response, access management, change management, etc.

The 2022 control structure

Annex A controls in 27001:2022 are organized into 4 themes (down from 14 in 2013):

Organisational (37 controls) — policies, roles, supplier relationships, threat intelligence
People (8 controls) — screening, training, NDA, disciplinary process
Physical (14 controls) — perimeters, equipment, secure disposal
Technological (34 controls) — access management, crypto, logging, web filtering, secure coding

11 new controls added in 2022 reflect cloud + supply chain reality: Threat Intelligence (5.7), Information Security for Cloud Services (5.23), ICT Readiness for Business Continuity (5.30), Configuration Management (8.9), Web Filtering (8.23), Secure Coding (8.28), and others.

The Statement of Applicability — the heart of the certification

For every Annex A control, the SoA documents:

Whether it applies (yes/no)
Justification for the decision
Implementation reference (which procedure / system delivers it)
Implementation status (planned, partially implemented, fully implemented)

Auditors use the SoA as their map. A weak SoA — vague justifications, untraceable implementations — fails certification. A clean SoA accelerates audit dramatically.

Implementation timeline (realistic)

For a 50-200 employee Indian company with no prior ISMS:

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 27% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

8 more sections locked below

Module 2 · ISO 27001:2022 Implementation 🔒

What ISO 27001 actually is

The required documents

The 2022 control structure

The Statement of Applicability — the heart of the certification

Implementation timeline (realistic)

Continue reading with Basic tier (₹499/month)

Other modules in this track

Module 1 · GRC Fundamentals <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 4 · Third-Party Risk Management <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 3 · SOC 2 for Indian SaaS <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>